IA-5 is the relevant NIST control. Here's the control enhancement section and as you can see, it's all defined by the organization:
Control Enhancements:
(1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only cryptographically-protected passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
I think what they may actually be referring to is CJIS, not NIST. Here is the relevant control from that set:
5.6.2.1.1 Password
Agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall:
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the Userid.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered.
Hi, I live in Little Rock. First, let me assure you that I'm not in any way defending the arrest, it was a stupid, stupid thing to do. John Walker is notorious in this town for being a race-baiting ambulance chaser. Google "Joshua Intervenors" for the highlights of his legal career if you'd care to learn more. tl:dr version is that he has filed a series of lawsuits against the school districts here dating back to 1982 that have accomplished little besides very nearly bankrupting LRSD. He has a history of antagonizing law enforcement in the area in the hopes of being arrested so that he can then sue everyone in sight. LRPD knows this and generally ignores him but for whatever reason, they didn't this time. Currently, all charges against both men have been dropped, the City Manager and the Police Chief have both publicly apologized (Walker made a very big deal of not accepting said apologies) and lawsuits are being prepared. The end result will be that the Citizens of Little Rock will write yet another check to this clown because a cop got frustrated and the perception of Little Rock as a racist Southern backwater will be reinforced. Good job all around.
This philosophy is what sets Techdirt apart from so many other sites for me. Content that doesn't insult my intelligence and actually tells me something worth knowing is what brings me here every damn day. Thank you for that.
I've still got the install CD and would have jumped at an updated digital copy. Yes Rights Holder, I would've paid you a second time for something I already own because the Win98 VM I currently use for older games gets the job done but GOG is steadily eliminating the need for it. Instead, you can't get out of your own way to make that possible and my money stays in my pocket. Also, I'm not interested in most of your new releases because they lean heavily on multi-player instead of gameplay. I realize this shows my age but spending an evening playing a game full of kids using aimbots while proudly displaying their ability to curse is just not my idea of fun. Now get off my damn lawn, I have clouds to yell at!
Geico was one of the main drivers of this. A quick scan of their website doesn't turn up any reference to it now so it may be discontinued. Its use is typically linked to a rate reduction.
The Gawker / Daily Dot histrionics are really beginning to wear thin and I'm eternally grateful to the staff here for not following them down that particular rabbit hole.
Yup, that vote will be on the very next agenda. I imagine they'll justify it as a "privacy" issue for the faculty and staff and probably make some sort of claim that the reviews are misleading because they don't take into account some super secret data-set that students don't have access to. Based on that, they'll just take the whole thing offline.
What would prevent the hybrid ISP/content providers like Comcast from just slapping caps on their customers? Netflix and Hulu are viable because, for the most part, users have unlimited data for a monthly fee. What happens if that gets replaced with all the limits mobile providers are slapping on their customers these days? I'm not so sure this is going to be the bloodbath everyone expects.
All the publisher needs to do is turn the copyright industry loose on the internet. Surely all the revenue generated from the ensuing infringement lawsuits will more than cover the cost of the fines.
Techdirt has not posted any stories submitted by Kev.
Either way, it's a shit policy.